[systemd-devel] "Failed to determine peer security context: Protocol not available" on kernels with disabled selinux
Igor Zhbanov
izh1979 at gmail.com
Tue Nov 10 11:53:12 PST 2015
Hi!
I see lots of messages (with systemd debug enabled) on the kernel with
selinux disabled:
systemd[1]: Failed to determine peer security context: Protocol not available
As I understand, this happens because getsockopt() returns ENOPROTOOPT,
and systemd checks for EOPNOTSUPP.
Consider getpeersec() in src/basic/socket-util.c:

int getpeersec(int fd, char **ret) {
        socklen_t n = 64;
        char *s;
        int r;

        assert(fd >= 0);
        assert(ret);

        s = new0(char, n);
        if (!s)
                return -ENOMEM;

        r = getsockopt(fd, SOL_SOCKET, SO_PEERSEC, s, &n);
        if (r < 0) {
                free(s);

                if (errno != ERANGE)
                        return -errno;

                s = new0(char, n);
                if (!s)
                        return -ENOMEM;

                r = getsockopt(fd, SOL_SOCKET, SO_PEERSEC, s, &n);
                if (r < 0) {
                        free(s);
                        return -errno;
                }
        }

        if (isempty(s)) {
                free(s);
                return -EOPNOTSUPP;
        }

        *ret = s;
        return 0;
}

and how it's used in bus_get_peercred() in src/libsystemd/sd-bus/bus-socket.c:

static void bus_get_peercred(sd_bus *b) {
        int r;

        assert(b);

        /* Get the peer for socketpair() sockets */
        b->ucred_valid = getpeercred(b->input_fd, &b->ucred) >= 0;

        /* Get the SELinux context of the peer */
        r = getpeersec(b->input_fd, &b->label);
        if (r < 0 && r != -EOPNOTSUPP)
                log_debug_errno(r, "Failed to determine peer security context: %m");
}

When errno == ENOPROTOOPT (as in the case when both SMACK and selinux
are disabled), a debug message will be produced.

I think it could be fixed like this:

--- socket-util.c 2015-11-10 19:21:47.730455553 +0000
+++ socket-util-new.c 2015-11-10 19:52:19.169268637 +0000
@@ -844,6 +844,9 @@ int getpeersec(int fd, char **ret) {
if (r < 0) {
free(s);
+ if (errno == ENOPROTOOPT)
+ return -EOPNOTSUPP;
+
if (errno != ERANGE)
return -errno;
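
Review bot: the added errno == ENOPROTOOPT test runs after free(s), like the existing ERANGE test below it, so both checks depend on free() leaving errno untouched; copying errno into a local before free(s) and testing that copy in both places would remove the dependency. A one-line comment stating that ENOPROTOOPT is what getsockopt() reports when neither SELinux nor SMACK is enabled would also explain why it is folded into -EOPNOTSUPP, the one value bus_get_peercred() does not log.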
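
The errno handling discussed in the message above, as a stand-alone probe that can be run on a given kernel to see what SO_PEERSEC returns for an AF_UNIX socketpair. This is an added example, not systemd code and not part of the original message; normalise_peersec_errno() and peer_label() are hypothetical names, and plain calloc() stands in for systemd's new0().

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>
#ifndef SO_PEERSEC
#define SO_PEERSEC 31   /* Linux asm-generic value, fallback only */
#endif

/* Hypothetical helper: report "no LSM provides peer labels" as -EOPNOTSUPP. */
static int normalise_peersec_errno(int err) {
        return err == ENOPROTOOPT ? -EOPNOTSUPP : -err;
}

/* Hypothetical helper: 0 and a malloc'ed label on success, negative errno otherwise. */
static int peer_label(int fd, char **ret) {
        socklen_t n = 64;
        for (int attempt = 0; attempt < 2; attempt++) {
                char *s = calloc(1, (size_t) n + 1);
                if (!s)
                        return -ENOMEM;
                if (getsockopt(fd, SOL_SOCKET, SO_PEERSEC, s, &n) >= 0) {
                        if (s[0] == '\0') {     /* empty label: treat as unsupported */
                                free(s);
                                return -EOPNOTSUPP;
                        }
                        *ret = s;
                        return 0;
                }
                int saved = errno;              /* capture before free() runs */
                free(s);
                if (saved != ERANGE)
                        return normalise_peersec_errno(saved);
                /* ERANGE: n now holds the length to allocate; retry once */
        }
        return -ERANGE;
}

int main(void) {
        int sv[2];
        char *label = NULL;
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
                return 1;
        int r = peer_label(sv[0], &label);
        printf("peer_label: %d (%s)\n", r, r == 0 ? label : "no label");
        free(label);
        close(sv[0]); close(sv[1]);
        return 0;
}
```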